
United States Patent and Trademark Office 



UNITED STATES DEPARTMENT OF COMMERCE 
United States Patent and Trademark Ofiice 
Address: COMMISSIONER FOR PATENTS 
P.O. Box 14S0 

Alexandria, Viisima 22313-1450 
www.uspto.gov 



APPLICATION NO. 


FILING DATE 


FIRST NAMED INVENTOR 


ATTORNEY DOCKET NO. 


CONFIRMATION NO. 


10/092,814 


03/07/2002 


Yoshihito Taninaka 


3620-P02831US0 


7974 



110 7590 06/01/2005 

DANN, DORFMAN, HERRELL & SKILLMAN 
1601 MARKET STREET 

SUITE 2400 

PHILADELPHIA, PA 19103-2307 



EXAMINER 



CERVETTI. DAVID GARCIA 



ART UNIT 



PAPER NUMBER 



2136 

DATE MAILED: 06/01/2005 



Please find below and/or attached an Office communication concerning this application or proceeding. 



PTO-90C (Rev. 10/03) 



kJTTICB MCiion ouniniary 

I 
i 


Application No. 
10/092,814 


Applicant(s) 

TANINAKA ET AL 


Examiner 

David G. Cen/etti 


Art Unit 

2136 





- The MAILING DATE of this communication appears on the cover sheet with the correspondence address 
Period for Reply 
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DETAILED ACTION 

Drawings 

1 . The drawings are objected to as failing to comply with 37 CFR 1 .84(p)(5) 
because they do not include the following reference sign(s) mentioned in the 
description: 56, 57 (page 21, lines 2-3). Corrected drawing sheets in compliance with 
37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the 
application. Any amended replacement drawing sheet should include all of the figures 
appearing on the immediate prior version of the sheet, even if only one figure is being 
amended. Each drawing sheet submitted after the filing date of an application must be 
labeled in the top margin as either "Replacement Sheet" or "New Sheet" pursuant to 37 
CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be 
notified and informed of any required corrective action in the next Office action. The 
objection to the drawings will not be held in abeyance. 

Specification 

2. Applicant is reminded of the proper language and format for an abstract of the 
disclosure. 

The abstract should be in narrative form and generally limited to a single ' 
paragraph on a separate sheet within the range of 50 to 150 words. It is important that 
the abstract not exceed 150 words in length since the space provided for the abstract 
on the computer tape used by the printer is limited. The form and legal phraseology 
often used in patent claims, such as "means" and "said," should be avoided. The 



Application/Control Number: 10/092,814 Page 3 

Art Unit: 2136 

abstract should describe the disclosure sufFiciently to assist readers in deciding whether 
there is a need for consulting the full patent text for details. 

The language should be clear and concise and should not repeat infornnation 
given in the title. It should avoid using phrases which can be implied, such as, "The 
disclosure concerns," "The disclosure defined by this invention," "The disclosure 
describes," etc. 

3. The disclosure is objected to because of the following informalities: 
"countermeasure been taken" (page 3. Iine23), "that have not be dealt" (page 4, lines 6- 
7), Appropriate correction is required. 

4. The disclosure is objected to because of the following informalities: "CPU" (page 
14, line 18), "RAM" (page 14, line 20). While well known in the art, these terms have not 
been defined. 
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Claim Rejections - 35 USC § 103 

5. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the Invention was made. 

6. Claims 1-10 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Fox et al. (US Patent Number: 6,535,227), and further in view of Alves-Foss et al. 
(NPL Document: Assessing Computer Security Vulnerability). 

Regarding claim 1. Fox et al. teach a method for offering security level 
comprising the steps of: (a) specifying, based on configuration information on a specific 
equipment, a vulnerability of said equipment, and associating information of the 
vulnerability with said equipment, said information of the vulnerability including a threat 
level value of the vulnerability (column 7, lines 45-60); (b) computing a security level 
value of the vulnerability of the specific equipment (column 7, lines 45-60); and (c) 
outputting security level information based on the security level value obtained in said 
step (b) (column 7, lines 45-60, column 8, lines 64-67, column 9, lines 1-25). Fox et al. 
do not disclose expressly threat level value of the vulnerability based on the type of this 
equipment, the threat level value of the vulnerability for which no modification has been 
taken regarding this equipment, and the number of days while the vulnerability has been 
left without any modification taken for the vulnerability. Fox et al. combine multiple types 
of data, from multiple sources, with other contextual information to from an integrated 
view of a networked system's security posture (column 11, lines 1-10). However, Alves- 
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Foss et al. teach measuring a System Vulnerability Index based on system 
characteristics, potentially neglectful acts, and potentially malevolent acts (pages 4-12). 
Therefore, it would have been obvious to one having ordinary skill in the art at the time 
the invention was made to compute a security level value based on the type of this 
equipment, the threat level value of the vulnerability for which no modification has been 
taken regarding this equipment, and the number of days while the vulnerability has been 
left without any modification taken for the vulnerability. One of ordinary skill in the art 
would have been motivated to perform such a modification to because it was well 
known in the art at the time the invention was made to combine multiple types of data to 
assess the security of a system and provide a gauge for appraising system 
vulnerabilities (Alves-Foss et al., pages 3-6). 

Regarding claim 2, the combination of Fox et al. and Alves-Foss et al. teach the 
limitations as set forth under claim 1 above. Furthermore, Alves-Foss et al. teach (d) 
computing a security level value of said equipment by comparing the security level 
values of vulnerabilities when there are a plurality of vulnerabilities associated with said 
equipment, which have not been modified, and setting a security level value with the 
highest threat level value among the security level values of said vulnerabilities as the 
security level value of said equipment, and wherein said step (c) outputs the security 
level information based on the security value of said equipment obtained in step (d) 
(pages 4-12), The reasoning for combining is the same as that for claim 1 above. 

Regarding claim 3, the combination of Fox et al. and Alves-Foss et al. teaches 
the limitations as set forth under claim 2 above. Furthermore, Fox et al. teach (e) 
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computing the security level value of a network when a plurality of equipments are 
connected to the network, by comparing security level values of the equipments, and 
setting a security level value with the highest threat level value among the security level 
values of said equipments as the security level value of said network (column 7, lines 
45-67, column 8, lines 44-67), and wherein said step (c) outputs security level 
information based on the security value of said network (column 7, lines 45-60, column 
8. lines 64-67, column 9, lines 1-25). 

Regarding claim 4, the combination of Fox et al. and Alves-Foss et al. teaches 
the limitations as set forth under claim 1 above. Furthermore, Fox et al. teach wherein 
said step (c) outputs security information based on both security level value obtained in 
the step (b) and basic security information computed based on a basic configuration, 
etc. of the equipment or the network (column 7, lines 45-60, column 8, lines 64-67, 
column 9, lines 1-25). 

Regarding claim 5, the combination of Fox et al. and Alves-Foss et al. teaches 
the limitations as set forth under claim 1 above. Furthermore, Alves-Foss et al. teach 
wherein said step (c) comprises a step of expressing said security level value in 
comparison with a security level reference value of a relevant system or the network to 
which said system is connected (pages 3-9). The reasoning for combining is the same 
as that for claim 1 above. 

Regarding claim 6, Fox et al. teach a configuration information storing unit for 
storing configuration information on the computer system to be monitored (column 9, 
lines 5-15); a vulnerability information storing unit for storing various types of updated 
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vulnerability information including at least a threat level value of the vulnerability 
(column 15, lines 25-32); a vulnerability information offering unit to extract vulnerability 
information to be applied to said computer system from said vulnerability information 
storing unit based on said configuration information, and to associate the vulnerability 
information with this computer system (column 7, lines 45-60); a security level 
computing unit for computing, regarding a specific equipment, a security level regarding 
the vulnerability of said equipment (column 7, lines 45-60); and a security level 
information generating unit for generating and output security level information based on 
the security level value obtained in said computing unit (column 7, lines 45-60, column 
8, lines 64-67, column 9, lines 1-25). Fox et al. do not disclose expressly a vulnerability 
modification information storing unit for storing the information on whether or not a 
system manager has applied modification work based on this vulnerability information. 
However, Examiner takes Official Notice that storing information regarding the actions 
taken on a particular task was conventional and well known. Therefore, it would have 
been obvious to one having ordinary skill in the art at the time the invention was made 
to store a modification log related to actions taken regarding vulnerabilities found since 
Examiner takes Official Notice that it was conventional and well known. Fox et al. do not 
disclose expressly computing a security level regarding the vulnerability of said 
equipment from a type of this equipment, the threat level value of the vulnerability that 
has not been modified with regarding this equipment, and the number or days while the 
vulnerability has been left without any modification taken. Fox et al. combine multiple 
types of data, from multiple sources, with other contextual information to from an 
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integrated view of a networked system's security posture (column 11, lines 1-10). 
However, Alves-Foss et al. teach measuring a System Vulnerability Index based on 
system characteristics, potentially neglectful acts, and potentially malevolent acts 
(pages 4-12). Therefore, it would have been obvious to one having ordinary skill in the 
art at the time the invention was made to compute a security level value based on the 
type of this equipment, the threat level value of the vulnerability for which no 
modification has been taken regarding this equipment, and the number of days while 
the vulnerability has been left without any modification taken for the vulnerability. One of 
ordinary skill in the art would have been motivated to perform such a modification to 
because it was well known in the art at the time the invention was made to combine 
multiple types of data to assess the security of a system and provide a gauge for 
appraising system vulnerabilities (Alves-Foss et al., pages 3-6). 

Regarding claim 7, the combination of Fox et al. and Alves-Foss et al. teach the 
limitations as set forth under claim 6 above. Furthermore, Alves-Foss et al. teach a 
security level value comparing unit to compute a security level value of said equipment 
by comparing security level values of vulnerabilities when there are a plurality of 
vulnerabilities associated with said equipment, which have not been modified, and 
setting a security level value with the highest threat level among the security level 
values of said vulnerabilities as the security level value of said equipment, and wherein 
said security level information generating unit generates security level information 
based on said security level value of said equipment computed by the security level 
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value comparing unit (pages 4-12). The reasoning for combining is the same as that for 
claim 6 above. 

Regarding claim 8, the combination of Fox et al. and Alves-Foss et al. teaches 
the limitations as set forth under claim 7 above. Furthermore, Fox et al. teach wherein 
said security-level value comparing unit computes a security value of a network by 
comparing security level values of equipments when a plurality of equipments are 
connected to said network, and setting a security level value with the highest level of 
threat among the security level values of said equipments as the security value level of 
said network (column 7, lines 45-67, column 8, lines 44-67); and said security level 
information generating unit outputs security level infomiation based on the security level 
value of said network computed by the security level value comparing unit (column 7, 
lines 45-60, column 8, lines 64-67, column 9, lines 1-25). 

Regarding claim 9, the combination of Fox et al. and Alves-Foss et al. teaches 
the limitations as set forth under claim 6 above. Furthermore, Fox et al. teach wherein 
said security level information generating unit outputs security information based on 
both security value obtained in said security level computing unit and basic security 
information computed based on a basic configuration, etc. of an equipment or a network 
(column 7, lines 45-60, column 8, lines 64-67, column 9, lines 1-25). 

Regarding claim 10, the combination of Fox et al. and Alves-Foss et al. teaches 
the limitations as set forth under claim 6 above. Furthermore, Alves-Foss et al. teach 
wherein said security level information generating unit expresses said security level 
value in comparison with a security reference value of a relevant system or the network 
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to which this system is connected (pages 3-9). The reasoning for combining is the same 
as that for claim 6 above. 
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Conclusion 



Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to David G. Cervetti whose telephone number i3 (571) 272- 
5861. The examiner can normally be reached on Monday-Friday 7:00 am - 5:00 pm, off 
on Wednesday. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz R. Sheikh can be reached on (571) 272-3795. The fax phone number 
for the organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 
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